How Your Ad Blocker Can Track You Across the Web

Photo: Kirill Kudryavtsev, Getty Images

Ah, ad blockers. Even if you aren’t among the growing number of people downloading one of these extensions, chances are you’ve heard people sing their praises for all sorts of reasons. They make the web a less cluttered, less laggy, less invasive place to be. So naturally, the money-hungry tech upstarts have found a way to ruin these tools for their own gain.

Cybersecurity researcher Sergey Mostsevenko broke down exactly how this sort of scheme works in a blog post from last month. As he put it, the average ad blocker leaves tiny traces of data on the websites you visit. When those traces are collected en masse, a bad actor (or tech company) could use these signals to identify your specific browser — a process literally called “fingerprinting” in the ad-targeting industry. And like a fingerprint, these signals are basically impossible to burn off without taking some pretty drastic steps.

“Fingerprinting” refers to a particularly scuzzy form of tracking that’s designed to be near-impossible for users to shake off. Cookies can be cleared, your cache can be flushed, and you can browse exclusively in incognito mode, but your browser’s “fingerprint” is cobbled together from a slew of different signals: your IP address, your window size, your language settings, and much, much more. When you visit a web page that has a hidden piece of fingerprinting code on it, these data points get sucked in and a hashed jumble of numbers and letters — your unique fingerprint — gets spit out. By tracking which fingerprints crop up on which sites, these companies can covertly track you no matter how much you beg them to stop.

Naturally, when you use an ad blocker, it’s going to give off some sort of signal to the site you’re visiting — but not enough to uniquely identify your browser. In order to do that, Mostsevenko explained, you need to get a bit creative.

Ad blockers come in all shapes and sizes, but they all work the same way: scanning for specific elements on a page (like a piece of ad code) and stopping them from loading into view. In order to know what’s worth blocking, most major ad blockers rely on different filter lists that are tailored for all sorts of ad annoyance you want to shut down: German-language ads, mobile ads, pop-ups, and more. Some blockers even let users upload their own filter lists if the available options aren’t enough. Kind of like different bouncers at different nightclubs, each of these lists will quash its own collection of HTML snippets and ad URLs whenever they’re flipped on.

There might be close to 1 billion ad-blocking internet users across the U.S., but every one of them is using an amalgam of different tools and filters that’s probably different from that of the ad-blocker user sitting next to them. In short, it’s prime fingerprinting fodder — with a bit of legwork.

Mostsevenko’s very long, very technical blog explains this legwork in depth, but the short version is this: first, cobble together the list of ad blockers you want to detect from website visitors and figure out which elements each of these blockers blocks. Then add a tiny piece of code to a webpage — like a strip of HTML — that loads all of these different elements one at a time, somewhere out of sight, keeping tabs on which elements load on the page and which ones don’t. If the company creating these fingerprinting tools is tech-savvy enough, this job shouldn’t take more than a second.

Mostsevenko tested a sample blocker-sniffing program in Safari on a 2015 MacBook Pro to see how much lag it added to a webpage’s load time. Checking for every element across 45 unique ad-blocking lists took about 3 milliseconds. Upping that number to 400 lists took the program a whopping… 20 milliseconds to complete — a lag you likely won’t notice unless you’re really into competitive console games.
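To see why the set of hidden elements is so identifying, here is an added simulation (not code from Mostsevenko’s post or from any ad blocker) of what a page can infer and how small the resulting “crowd” becomes. The filter-list names, selectors and user population are constructed for illustration, and the browser is replaced by a stand-in function so the example runs offline in Node.

```javascript
// Added illustration: list names and selectors are constructed, not real filter rules.
const crypto = require('crypto');

// Bait selectors that each (hypothetical) filter list would hide.
const LIST_SIGNATURES = {
  'base-ads': ['.ad-banner-example', '#sponsored-box-example'],
  'german-ads': ['.werbung-example'],
  'mobile-ads': ['.m-ad-slot-example'],
  'popup-annoyances': ['#newsletter-popup-example'],
};

// Stand-in for the browser: the set of bait elements hidden for a given configuration.
function simulateBlocked(enabledLists) {
  const blocked = new Set();
  for (const name of enabledLists) {
    for (const sel of LIST_SIGNATURES[name] || []) blocked.add(sel);
  }
  return blocked;
}

// What a page can infer: a list counts as active when most of its bait is hidden.
function inferActiveLists(blocked) {
  return Object.keys(LIST_SIGNATURES).filter((name) => {
    const sels = LIST_SIGNATURES[name];
    return sels.filter((s) => blocked.has(s)).length > sels.length / 2;
  }).sort();
}

// The inferred set is hashed into one fingerprint component (cookies play no part).
function blockerComponent(enabledLists) {
  const active = inferActiveLists(simulateBlocked(enabledLists));
  return crypto.createHash('sha256').update(active.join('|')).digest('hex').slice(0, 16);
}

// Defender's view: how many users share each component value (the "crowd" you hide in).
function crowdSizes(users) {
  const sizes = {};
  for (const lists of Object.values(users)) {
    const key = blockerComponent(lists);
    sizes[key] = (sizes[key] || 0) + 1;
  }
  return sizes;
}

const USERS = { // constructed sample population
  ana: ['base-ads'], ben: ['base-ads'], cy: ['base-ads'],
  dee: ['base-ads', 'german-ads', 'popup-annoyances'],
};
console.log(crowdSizes(USERS)); // three users share one value, dee stands alone
```

The users on a single common list are indistinguishable from one another by this signal, while the one with a custom combination is alone in her group; enabling or dropping a list changes the value.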

“The list of filters that a person uses is only likely to change if they switch ad blockers, or if their installed ad blocker undergoes a significant update,” Mostsevenko wrote. But this is bound to happen eventually. Filter lists get tweaked and changed by developers all the time. Ad blockers get overhauled after they’re compromised or caught pulling their own schemes with people’s data. Those people might get a new computer, try a new browser, or turn their text two sizes smaller. People can change, which means fingerprinting based on ad blockers — or any other piece of our digital lives — will never be perfect. But in a world where cookies are crumbling and app trackers are choking, data is data, and the data industry is still worth at least $US200 billion ($272 billion). Your ad-blocking data has value to someone, somewhere — a fact that might offer a weirdly dystopian self-esteem boost if you’re as brain-poisoned as I am.

Capitalist hellscape aside, there are still a few steps you can take to keep your browser — ad-blocked or not — from being fingerprinted. The Electronic Frontier Foundation suggests disabling JavaScript from running whenever you can, and using a popular browser like Safari or Firefox, which have each taken their own steps to quash fingerprinting attempts. Keep extensions to a minimum, invest in a good VPN, and no matter how hard a website begs, always, always turn down their cookies.